Systems and Methods for Detecting Obfuscated Malware

US 20110010697A1
Filed: 07/10/2009
Published: 01/13/2011
Est. Priority Date: 07/10/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for malware detection, the method comprising:

loading at least a portion of a software code into a system memory;

converting the loaded software code into a low-level programming language;

simplifying complex instructions in the converted code into basic instructions;

constructing a data flow model of the simplified software code;

analyzing dependencies and interrelations of code elements of the data flow model to identify obfuscated software codes therein;

optimizing one or more identified obfuscated codes in the data flow model; and

determining based on results of optimization whether the software code is malicious.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are systems, methods and computer program products for efficient and reliable analysis, optimization and detection of obfuscated malware. One disclosed example method for malware detection includes loading an executable software code on a computer system and disassembling the software code into an assembly language or other low-level programming language. The method then proceeds to simplifying complex assembly instructions and constructing a data flow model of the simplified software code. The dependencies and interrelations of code elements of the data flow model are analyzed to identify obfuscated software codes therein. The identified obfuscated codes are then optimized. Based on the results of optimization, determination is made whether the software code is malicious and/or whether further antimalware analysis of the optimized software code is necessary.

Citations

20 Claims

1. A computer-implemented method for malware detection, the method comprising:
- loading at least a portion of a software code into a system memory;
  
  converting the loaded software code into a low-level programming language;
  
  simplifying complex instructions in the converted code into basic instructions;
  
  constructing a data flow model of the simplified software code;
  
  analyzing dependencies and interrelations of code elements of the data flow model to identify obfuscated software codes therein;
  
  optimizing one or more identified obfuscated codes in the data flow model; and
  
  determining based on results of optimization whether the software code is malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the software code includes an executable software code.
  - 3. The method of claim 1, wherein the step of loading the at least a portion of the software code into the system memory includes:
    - dividing a software code into a plurality of code blocks; and
      
      loading one or more code blocks into one or more memory buffers.
  - 4. The method of claim 3, wherein the steps of converting, simplifying, constructing, analyzing and optimizing are performed on two or more code blocks in parallel.
  - 5. The method of claim 1, wherein the step of converting the loaded software code into the low-level programming language includes disassembling the software code into assembly-language instructions.
  - 6. The method of claim 1, wherein the step of optimizing the one or more obfuscated codes includes one or more of removing a dead code, optimizing a distributed calculation, optimizing a reverse operation, optimizing a constant, calculation, optimizing a transfer instruction, optimizing a memory call, optimizing a flag operation, and optimizing a branch and a cycle instructions.
  - 7. The method of claim 1, wherein the step of determining based on the results of optimization whether the software code is malicious includes:
    - comparing an optimized software code with the original unoptimized software code; and
      
      determining a degree of code obfuscation based on the comparison.
  - 8. The method of claim 7, wherein the step of determining based on the results of optimization whether the software code is malicious further includes performing, based on the degree of code obfuscation, one or more of:
    - analyzing the optimized software code using signature matching;
      
      analyzing the optimized software code using heuristic analysis; and
      
      analyzing the optimized software code using human expert review of the software code.

9. A system for malware detection, the system comprising:
- a system memory for storing a computer-executable software code; and
  
  a processor configured toload at least a portion of the executable software code into the system memory;
  
  convert the loaded software code into a low-level programming language;
  
  simplify complex instructions in the converted code into basic instructions;
  
  construct a data flow model of the simplified software code;
  
  analyze dependencies and interrelations of code elements of the data flow model to identify obfuscated software code therein;
  
  optimize one or more identified obfuscated codes in the data flow model; and
  
  determine based on results of optimization whether the software code is malicious.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, wherein to load at least a portion of the software code into the system memory, the processor is further configured to:
    - divide a software code into a plurality of code blocks; and
      
      load one or more code blocks into one or more memory buffers.
  - 11. The system of claim 10, wherein the processor is further configured to convert, simplify, construct, analyze and optimize two or more code blocks in parallel.
  - 12. The system of claim 9, wherein to convert the loaded software code into a low-level programming language, the processor is further configured to disassemble the software code into assembly-language instructions.
  - 13. The system of claim 9, wherein the obfuscated software code includes one or more of a dead code, a distributed calculation, a reverse operation, a constant calculation, a transfer instruction, a memory call, a flag operation, and a branch and a cycle instructions.
  - 14. The system of claim 9, wherein to determine whether the software code is malicious, the processor is further configured to:
    - compare the optimized software code with original unoptimized software code; and
      
      determine the degree of code obfuscation based on the comparison.
  - 15. The system of claim 14, wherein the processor is further configured to perform, based on the degree of code obfuscation, one or more of:
    - analyzing the optimized software code using signature matching;
      
      analyzing the optimized software code using heuristic analysis; and
      
      providing the optimized software code to a human expert for review.

16. A computer-implemented method for malware detection, the method comprising:
- loading at least a portion of a software code into a system memory;
  
  converting the loaded software code into a low-level programming language;
  
  simplifying complex instructions in the converted code into basic instructions;
  
  analyzing dependencies and interrelations between the instructions in the simplified software code to identify obfuscated software codes therein;
  
  optimizing one or more identified obfuscated codes in the simplified software code; and
  
  analyzing the optimized software code using signature matching or heuristic analysis malware detection technique to determine whether the software code is malicious.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein the step of loading at least a portion of the software code into a system memory includes:
    - dividing a software code into a plurality of code blocks; and
      
      loading one or more code blocks into one or more memory buffers.
  - 18. The method of claim 16, wherein the step of converting the loaded software code into a low-level programming language includes disassembling the software code into an assembly-language instructions.
  - 19. The method of claim 16, wherein the step of optimizing one or more obfuscated codes includes one or more of removing a dead code, optimizing a distributed calculation, optimizing a reverse operation, optimizing a constant, calculation, optimizing a transfer instruction, optimizing a memory call, optimizing a flag operation, and optimizing branch and cycle instructions.
  - 20. The method of claim 16, wherein the step of analyzing the optimized software code includes recompiling the optimized software code and analyzing the recompiled optimized software code using signature matching or heuristic analysis malware detection technique.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Kaspersky Lab ZAO
Inventors
Golovkin, Maxim Y.

Granted Patent

US 9,087,195 B2
Time in Patent Office

Days
Field of Search
US Class Current

717/155
CPC Class Codes

G06F 21/563 by source code analysis

Systems and Methods for Detecting Obfuscated Malware

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods for Detecting Obfuscated Malware

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links